A Guide to Business Continuity Planning in Education

In the age of ransomware, maintaining business continuity planning in education has never been so important.

Consider the mindset of today’s cyber-criminals …

How much money would an elite university be willing to pay to restore all its data—accounting systems, student records, payroll, financial aid data—after an infection?

We already know small local governments are willing to pay hundreds of thousands of dollars in ransom payments. There’s even more at stake for large colleges that have even bigger budgets than those municipalities—and more sensitive data. A successful attack won’t just cost these schools a ransom payment. It could shut down the college.

The threats are numerous

Ransomware is only one part of the picture.

At a time when everything is stored digitally, data in higher education has become incredibly valuable. As such, the risks have become incredibly dangerous.

Colleges of all sizes need to be prepared for a wide variety of adverse situations:

Malware attacks and viruses

Accidental file deletion

Phishing attacks

Misconfigured data migrations / overwrites

Hardware failure

Application crashes

Additionally, there’s the risk of physical damage to infrastructure, like fire, flooding, and severe weather—not to mention the threat of human harm to students, staff and visitors.

All of this needs to be factored into an institution’s business continuity planning. Weaknesses in any one area could spell disaster for an ill-prepared university.

Hackers demand $2 million from NYC college

Monroe College was one of the latest American colleges to feel the pain of a ransomware attack.

In July 2019, the NYC-based school was sidelined by an infection that knocked down its email systems, website and several information systems.

Hackers demanded a staggering $2 million to restore the college’s data. While it’s not known whether Monroe paid up, the attack itself was enough to disrupt the college at the worst possible time: just prior to the start of a new school year.

Experts warn that college ransomware attacks are on the rise as hackers deploy more targeted attacks in hopes of securing larger ransom payments. Other schools attacked this year include Oberlin, Grinnell, Hamilton, Regis and Stevens Institute of Technology.

Business continuity planning in education

Colleges and universities must have detailed plans for preventing, responding to and recovering from a multitude of disaster scenarios. The foundation of this planning is a business continuity plan (BCP).

A business continuity plan for colleges is much like a BCP for any other organization. It’s a comprehensive document that should outline all the systems and protocols for mitigating the impact of a disruption.

At a college, some departments may require their own specific continuity planning. For example, Alabama Crimson Tide’s $56 million football program may have completely different continuity objectives than its admissions department. But even when department-specific plans are in place, there should still be a single college-wide BCP that provides a continuity framework for all other units to follow.

Sample business continuity plan outline for colleges

While every BCP should be developed according to the specific needs of the institution, these are some of the core categories that should be in every plan:

Plan objectives: What the plan aims to achieve and what its areas of focus are, i.e. all disaster planning or IT-specific concerns.

Key contacts: Who wrote the plan, who maintains it, which stakeholders “need to know first” when recovery plans need to be activated.

Risks: An assessment of all likely disaster situations that pose a risk to a university’s operations, systems or people.

Impact: An analysis of how each risk will negatively impact the organization.

Prevention: Implemented systems and protocols for preventing disruptions from occurring.

Response: Immediate steps for mitigating a disaster situation, assessing the damage and/or getting people to safety.

Recovery: Procedures for fully restoring systems and operations.

Contingencies: A list of secondary resources, equipment or locations to be utilized if primary means are destroyed or inaccessible.

Communication: How recovery personnel will remain in contact and communicate important status updates to all affected parties (students, staff, parents, etc.).

Recommendations: Suggested improvements and solutions for weaknesses that are identified in the existing continuity planning.

Plan review schedule: Timeline for reviewing the plan and making updates on a regular basis throughout the year.

Assessing risks

The risk assessment and impact analysis are arguably the most important components of a business continuity plan. Without them, you’ll never truly know which disaster scenarios to prepare for or how they would disrupt the school.

Aren’t the risks the same for every college? Not necessarily. While many institutions share the same types of risks, some schools will be naturally more prone to certain disruptions than others.

For example, schools located along the southeastern U.S. coastline will be more at risk of hurricanes. Universities in southern California will be more at risk of earthquakes.

And what about large-scale political demonstrations and student sit-ins? How about cyberattacks? Utility outages? River flooding?

Each school will have its own unique risks, which is why it’s important to assess them all individually.

A thorough impact analysis will consider all these factors and how they translate into actual monetary costs.

It does not matter whether the university is public, private, for-profit or non-profit. Like any organization, schools must be focused on continuity and the bottom line. A failure to understand the impact of a major disaster could spell doom for an already struggling college.

A risk of closure

Since 2016, more than 120 for-profit and non-profit colleges have closed down permanently, due to shrinking enrollment and other factors.

A 2016 report by Ernst & Young found 800 schools to be vulnerable to closure, due to “critical strategic challenges.” These schools, which tend to enroll fewer than 1,000 students, are the most at risk of being shuttered by an unexpected disaster.

Even a single ransomware attack could be enough to force a small college to permanently close its doors. This is why every school, regardless of size, needs to take continuity planning seriously.

The role of data backup

Data backup plays a vital role in business continuity for higher education. Without it, institutions leave themselves open to the risk of prolonged downtime when data loss inevitably happens.

That downtime can be costly.

Consider the impact of a ransomware attack that blocks access to all student applications and records within an admissions department. Or the loss of financial aid applications and award statuses. Even a single accounting spreadsheet that somebody accidentally deletes can derail an entire department for days.

Depending on the size of the school, each hour of downtime can cost anywhere from $10,000 to $5 million, according to an analysis by Datto.

Schools need to be backing up their data at least once a day, at minimum, across every department.

Tip: Today’s best disaster recovery solutions enable universities to back up their data as often as every 5 minutes, minimizing the risk of data loss.

Preparing for natural disaster

Natural disasters pose a risk to both people and IT systems.

In preparation for Hurricane Dorian, several universities along the southern coastline announced they would close down for the storm. And while this itself is an operational disruption, it’s also smart planning. Closing the campuses ensured the safety of staff and students by allowing them to stay home or evacuate.

But behind the scenes, schools took other precautions too. With the risk of severe flooding and the potential for damage to IT infrastructure, Florida universities needed to be sure their critical data would be secure, as well.

For well-prepared colleges, this meant storing backups off-site, away from the threat of disaster.

Tip: Schools should strongly consider hybrid cloud backups, which keep backups in two locations: on campus for the fastest-possible recovery speeds, and in the cloud for added protection against on-site disasters.

Emergency response

The moments immediately following a disaster will almost always dictate the speed and success of the recovery.

If steps aren’t taken immediately to assess the situation and mitigate the damage, then recovery efforts will take much longer. On the flipside, if disaster-response protocols are activated right away, then the odds of a full recovery will be far greater.

Effectively responding to various types of disasters is challenging without a detailed emergency response plan in place. Designated recovery teams should know exactly what to do after a disruption—whether it’s people-focused (i.e. seeking safety for students) or IT-related (i.e. restoring a backup after data loss).

Degraded service vs. full recovery

Keep in mind that no school will be able to instantly recover from a major disaster. So your continuity planning needs to outline how critical functions should continue at a degraded service level.

First, identify which operations are most vital (the functions that cannot be disrupted no matter what). Determine what’s needed to keep those operations running at a minimum level – i.e. technology, equipment, personnel, electricity, etc.

Each operation, and indeed each unit of the college, will have its own requirements. But in order for a full recovery to be possible, proper planning must be in place to keep these essential functions running.

Stronger data protection for colleges and universities

Get more guidance on implementing stronger continuity planning and systems for your school. Request a free demo of advanced data backup solutions that can protect against data loss, ransomware and downtime. Or for more information, contact our business continuity experts at Invenio IT: call (646) 395-1170 or email success@invenioIT.com.

Tracy Rock is the Director of Marketing at Invenio IT. Tracy is responsible for all media-related initiatives as well as external communications—including, branding, public relations, promotions, advertising and social media. She is one busy lady and we are lucky to have her!

Invenio IT is the backbone for my disaster recovery solution. If I have anything wrong with my backups I am getting a call from Dale. This type of support is awesome especially when backing up 100+ servers.

Clyde Cornelius

15:08 07 Jun 18

Invenio IT has provided us with an excellent BDR solution in the Datto SIRIS. An enterprise-level solution at a reasonable cost, along with simplicity and ease-of-use, were a few items that helped us move to a Datto SIRIS.
The only surprise was the extremely detailed level of service and support we received from Invenio IT. After 20 years of IT experience as a support professional myself, I did not expect to be surprised by the sustained, over-the-top level of support and professionalism that we received from Dale and the Invenio IT team. But I was surprised, and very happily so. Actually, I couldn't be happier!

Edward Caco

15:31 05 Jun 18

The Datto Siris product works well and the web portal for management is excellent. My Invenio Rep is attentive, gets in front of issues and monitors the backup service.

Theodore Herrmann

21:35 04 Jun 18

Great product! Great Service. I was up and running in no time.

Robert Bearry

19:41 04 Jun 18

I highly recommend Invenio IT to everyone. They provide amazing customer service. They are very responsive, and quick to resolve any issues or concerns. They have been a tremendous resource for several IT projects. One product / service in particular that is an absolute must is their backup services using the Datto SIRIS. This is just one example of many that has simplified my life while giving me much improved data security. I have full confidence and peace of mind knowing my
data is secure and always available. By far the absolute best IT company I have ever dealt with.

William Porche

19:33 04 Jun 18

I am very pleased with the Datto project and support offered at Invenio IT. The professionalism and speedy response to all of my issues have been handled impeccably. I would highly recommend their services.
-Billy

Yogesh Mantri

21:09 24 May 18

We were looking for a product which will verify the backup everyday without our intervention. For our size, Datto Alto 4 by far is the best product available on the market for the up-front and recurring price. Everyday it shows that the image backup is boot-able. We did the test by visualizing the server in the cloud and connecting seven work stations to it, and it worked flawlessly.Dale from Invenio IT was there every step of the way from purchase to install to testing. He provided exceptional service. He oriented us to Datto environment very well and is always available to answer questions. Further, every day he is monitoring the backups and ensuring the success. We are very pleased with the results. Thank you Dale!

Kim Zayac

16:41 03 Nov 17

Datto/Invenio was installmental in saving my business. The SIRS had a snapshot of beginning of the day. So I was good to go in minutes with the last backup thank you invenioIT.

Rachel Leventhal

21:34 17 Aug 17

We have the Datto SIRIS through Invenio IT and we couldn't be happier. Great team with exceptional customer service. Keep up the good work!

gramfer

12:36 03 Aug 17

Invenio IT is simply awesome! I have been working with Dale for a couple of years now and the service and after sales support is great. I have submitted support requests and literally have had them resolved in under 20 minutes. That is great service!

Paul Gugel

01:23 26 Jul 17

I have a SIRIS2 backup hardware which is an outstanding product and Invenio IT is one of the best support companies out there. They keep me informed of anything that is going on with my backups.

Date Kouy

20:06 20 Jul 17

Quick response and good customer relationship. We been working with Invenio for over a year and it has been good results all around. Keep up the good work.

Grant Brown

20:34 18 Jul 17

Incredible professionalism from the Invenio staff. Hard working, a joy to do business with, and true innovators. This is a company that values its partnerships and will always do what's best for the customer.

Ron Rizzi

20:09 17 Jul 17

So... how complicated would your life be if you lost precious data files and there was no chance of recovery. Sounds scary. Yes it does. Life can be easier. You can take an associates human error of erasing or losing work or even an equipment failure that would have you work through the weekend in stride. Deploying a DATTO Sirus will protect your data locallly and in the cloud with so many easy ways to recover when the need arises. Support is excellent and reliable. Get a DATTO Sirus and rest... assured!

Jason Blair

16:51 17 Jul 17

Solid Datto support for our server systems. In the rare event there's been an issue, Invenio often knows before we do and has a fix ready. They are highly responsive to questions and keep our backup system.

Matthew Fex

16:35 17 Jul 17

The fantastic Datto SIRIS coupled with the helpful folks at Invenio IT have let me stop worrying about my backups and disaster recovery plans to focus on more important things such as my morning coffee and keeping users from destroying the network before lunch.

Gary Collier

16:11 17 Jul 17

Great partner to have. I recently joined the company I work for and found that they have a Datto backup system. I have never used the system and with the assistance of Dale at Invenio IT the learning curve has been an easy one. They typically let me know if something has gone wrong before I even knew it happened. Bottom line, outstanding support. I would highly recommend them for your IT services needs.

Gregory Carwile

16:08 17 Jul 17

Purchasing my SIRIS3 through Invenio IT has been one of the best decisions I’ve made. They always reach out to help whenever a problem arises, often before I even know there’s an issue with my backups. When my business got hit with Ransomware, I was able to restore my entire environment within a matter of hours thanks to my SIRIS3 and Invenio IT!

annmarie kotsianas

03:20 02 Jul 17

The Invenio IT staff is friendly and knowledgeable! They really know everything about the Datto SIRIS

Michael Marlin Jr.

16:50 28 Jun 17

Can't say enough about the folks at Invenio. They are experts in business continuity and a pleasure to work with!

Leander Gillard

16:19 19 May 15

Invenio IT is a great organization to work with. Their consulting and managed services are exceptional are always at the leading edge of I.T. Strategy and execution, anticipating what you need before you experience an expensive order of magnitude "issue". They lead with integrity and clear down to earth communications. Highly recommended.

Employment Employment

15:04 06 May 15

Great company medium sized organizations, handles all the management of data integrity, data redundancy/backup and all of your data management needs. I was truly lucky to have a excellent company supporting my orgazation when we did actually encounter data issues. Invenio IT was able to quickly assess and analyze the problem and then fix our issues with no down-time and little to no effect on our user base. Thank you Invenio IT.

T. Rock

14:22 06 May 15

Invenio IT has supported my business for the past few years and I have had a great experience. The staff is knowledgeable and go out of their way to make technology simple to understand. If you are in need of a strategic (and friendly) IT partner, I would consider this company.